CVE-2016-0792: XStream Deserialization in Jenkins

CVE-2016-0792 is a critical vulnerability in Jenkins, an open-source automation server widely used for continuous integration and delivery (CI/CD). This flaw stems from an insecure deserialization issue in the XStream library, which Jenkins uses to process XML input. An unauthenticated attacker can exploit this vulnerability to achieve Remote Code Execution (RCE) on the underlying server, potentially leading to full system compromise.

Vulnerability Overview

The vulnerability exists because Jenkins does not properly validate or sanitize XML input processed by the XStream library. XStream is used to deserialize XML data into Java objects, but it allows the reconstruction of arbitrary object types - including those that can execute system commands.

Jenkins includes several third-party libraries and components, such as Groovy, which provide powerful scripting capabilities. When combined with insecure deserialization, these components become "gadgets" that attackers can chain together to execute arbitrary code.

No Authentication Required: In many default configurations, this endpoint is accessible without authentication, making it a high-risk exposure.

Exploitation: Remote Code Execution via XML Payload

The exploit involves sending a specially crafted XML payload to a Jenkins endpoint that accepts serialized data. The following example uses a groovy.util.Expando gadget to invoke java.lang.ProcessBuilder, allowing command execution.

Malicious XML Payload:

This payload:

Creates a Groovy Expando object.
Uses MethodClosure to bind a method call to ProcessBuilder.
Specifies a command (uname) to execute on the system.
Triggers execution via the start method.

Sending the Exploit

The payload can be sent to the Jenkins /createItem endpoint, which processes XML configuration data:

Upon receiving this request, Jenkins deserializes the XML and executes the uname command. The output is not returned in the HTTP response, but the command runs on the server.

For interactive access, replace the command with a reverse shell:

Impact

Successful exploitation allows:

Full remote command execution on the Jenkins server.
Access to credentials, build artifacts, and source code.
Pivoting to internal networks if Jenkins is in a restricted environment.
Persistence via job creation or script console access.

Since Jenkins often runs with elevated privileges, the attacker may gain full control over the host system.

Mitigation and Remediation

Immediate Actions:

Upgrade Jenkins: Ensure you are running a patched version of Jenkins (1.650 or later, or LTS 1.642.2 or later).
Update XStream: Use XStream version 1.4.9 or later, which includes security fixes for deserialization flaws.
Restrict Network Access: Expose Jenkins only via a VPN or internal network - never directly to the internet.
Enable CSRF Protection: Ensure CSRF protection is enabled under Manage Jenkins > Configure Global Security.
Disable CLI over HTTP: Disable CLI access over HTTP/REST if not required.

Long-Term Security Best Practices:

Run Jenkins with a dedicated, low-privilege system user.
Use a reverse proxy (e.g., NGINX) with strict content filtering.
Regularly audit jobs, plugins, and user permissions.
Monitor logs for suspicious XML POST requests to /createItem or /script.

Detection Using Greenbone (GVM)

You can detect vulnerable Jenkins instances using automated vulnerability scanners like Greenbone Vulnerability Management (GVM).

Run a web scan targeting the Jenkins server.
Look for tests related to "Jenkins Unauthenticated RCE" or "XStream Deserialization".
Check for open ports (typically 8080) and Jenkins version banners.

Greenbone leverages over 180,000 automated vulnerability tests and can identify outdated Jenkins versions and misconfigurations that expose this CVE.

On This Page